The Belgian Data Protection Authority (Belgian DPA) announced, on May 25, 2023, its decision no. 61/2023, as issued on May 24, 2023, in which it ordered the Belgian tax authority, FPS Finance, to cease the transfer to the US of tax data of Americans residing in Belgium, and issued the same with reprimands and compliance orders, for violation of Articles 5(2), 12(1), 14(1), 14(2), 24, and 35(1) of the General Data Protection Regulation (GDPR), following the receipt of two complaints, lodged by an individual and the Accidental Americans Association of Belgium (AAAB), respectively.

Background to the decision

The Belgian DPA reported that the complaints alleged that the exchange of information from FPS Finance to the U.S. Internal Revenue Service (IRS) under the Foreign Account Tax Compliance Act (FATCA) is contrary to the GDPR. In this regard, the Belgian DPA explained that, under FATCA, domestic financial institutions are required to forward data relating to US citizens residing abroad to the tax authority of the country of establishment, and that such authorities, in turn, are mandated to transfer data to the IRS.

The Belgian DPA outlined that, against this claim, FPS Finance invoked the exception provided for in Article 96 of the GDPR, whereby international agreements involving the transfer of personal data to third countries or international organizations concluded before the entry into force of the GDPR may nevertheless remain in force, provided that they comply with the law as applicable prior to the GDPR. 

Findings of the Belgian DPA

The Belgian DPA took the view that the generalized and undifferentiated transfer of tax data provided under FATCA breaches the principle of purpose limitation of the GDPR, as FATCA does not contain exact objectives for the transfer of data, as well as the principles of proportionality and data minimization of the GDPR, considering that only data strictly necessary for the purposes sought, in this case combatting tax fraud, could be processed lawfully. As such, the Belgian DPA prohibited the processing of tax data by FPS Finance in the application of FATCA.

In addition, the Belgian DPA found FPS Finance in breach of Articles 5(2), 12(1), 14(1), 14(2), 24, and 35(1) of the GDPR.

Outcomes

As a result, the Belgian DPA issued the aforementioned prohibition and also issued FPS Finance with:

• a reprimand with regard to the violation of Articles 12(1), 14(1), and 14(2) of the GDPR, together with a compliance order to inform in a complete and accessible manner the data subjects of the data processing carried out as part of FATCA and of its modalities;
• a reprimand with regard to the violation of Article 35(1) of the GDPR and a compliance order to perform a Data Protection Impact Assessment; 
• a reprimand with regard to the violation of Articles 5(2) and 24 of the GDPR; and
• an order to document its compliance with the above and to provide the Belgian DPA with such evidence within three months of the notification of the decision.

The parties may appeal the decision.

You can read the announcement here and the decision, only available in French, here.